The “common data” category is not coded in the Regulation but has been coined by the practice of gathering in one single container the information other than those fallin in the “special data categories”, also known as “sensitive” or “judicial”, identified by law and target of a particular discipline.

The “common data” / “sensitive data” dichotomy may still have some meaning after the advent of Regulation 2016/679 but sees its relevance reduced as a result of the regulatory introduction of the risk-based approach that imposes on the Controller to assess the factual situation and the related risk in relation to the rights and freedoms of the data subjects.

It follows that even so-called “common” data, in a particular context and for specific purposes, could in theory expose the related processing to specific risks for the data subjects, requiring the adoption of appropriate caution and measures similar to those found when using “sensitive data”.